The DPA requires the data controller to have a written contract… requiring that the “data processor is to act only on instructions from the data controller” and “the data processor will comply with security obligations equivalent to those imposed on the data controller itself.”

Cloud customers should take care if a cloud provider offers a ‘take it or leave it’ set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations. Cloud customers must therefore check the terms of service a cloud provider may offer to ensure that they adequately address the risks discussed in this guidance.

It’s important to note that not all cloud services are created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.

Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients.